
Disaster Recovery & Business Continuity Template
ISO 27000, Sarbanes-Oxley, HIPAA, PCI DSS, COBIT, and ITIL Compliant
Prepared by
Janco Associates, Inc.
Park City, UT 84060
www.e-janco.com

This is a sample of the final product; these pages are for your review only and are protected by Janco’s copyright. PAGES HAVE BEEN EXCLUDED.

email - support@e-janco.com
Web sites – http://www.e-janco.com - http://www.it-toolkits.com -- http://www.itproductivity.org

Version 5.6
© 2010 Copyright Janco Associates, Inc. ALL RIGHTS RESERVED
Enterprise logo here Disaster Recovery Business Continuity

Table of Contents
1.0 Plan Introduction .............................................................................................................. 12
1.1 Mission and Objectives .......................................................................................... 13
Compliance ............................................................................................................. 13
Implication of Legislated and Industry Standards Requirements ................................. 13
Sarbanes-Oxley ....................................................................................................... 14
COSO...................................................................................................................... 16
PCI DSS .................................................................................................................. 17
COBIT..................................................................................................................... 17
ISO 27000 Compliance Process .............................................................................. 18
Define the Control Environment ................................................................................ 18
Control the Environment by Implementation and Management ................................... 18
Audit and Examine the Control Processes .................................................................. 19
1.2 Disaster Recovery / Business Continuity Scope ..................................................... 20
1.3 Authorization ......................................................................................................... 20
1.4 Responsibility ......................................................................................................... 20
1.5 Key Plan Assumptions ............................................................................................ 21
1.6 Disaster Definition .................................................................................................. 22
1.7 Metrics ................................................................................................................... 22
1.8 Disaster Recovery / Business Continuity and Security Basics ..................................... 24
Servers .................................................................................................................... 24
Network.................................................................................................................. 25
Clients ..................................................................................................................... 26
Recovery Procedures.............................................................................................. 26
Communication ...................................................................................................... 26
Designated operators ............................................................................................. 26
Designated manager .............................................................................................. 27
External resources .................................................................................................. 27
Insurance ................................................................................................................ 27

NOTE – Due to incompatibilities between WORD 2003 and WORD 2007 you may need to regenerate the Table of Contents. The Table of Contents was generated using WORD 2007 and if you use this document in any version other than WORD 2007 you will have to update the Table of Contents and all update fields which link to unique pages in this template.

Version 5.5 © 2010 Copyright Janco Associates, Inc. - http://www.e-janco.com Page 2

2.0 Business Impact Analysis .................................................................................................. 28
2.1 Scope ...................................................................................................................... 28
2.2 Objectives ............................................................................................................... 29
2.3 Critical Time Frame ................................................................................................ 29
2.4 Application System Impact Statements ................................................................. 30
Essential ................................................................................................................. 30
Delayed .................................................................................................................. 30
Suspended .............................................................................................................. 30
2.5 Information Reporting ........................................................................................... 31
2.6 Best Data Practices ..................................................................................................... 32
2.7 Summary ................................................................................................................ 33
3.0 Backup Strategy......................................................................................................................... 34
3.01 Site Strategy ........................................................................................................... 34
3.02 Data Capture and Backups ..................................................................................... 37
Backup Strategy...................................................................................................... 38
3.03 Backup and Backup Retention Policy ........................................................................ 39
Policy ..................................................................................................................... 39
Applicability ............................................................................................................ 39
Backup Versus Archive ........................................................................................... 39
Archiving Implications Sarbanes-Oxley ...................................................................... 39
SOX – Section 802 .................................................................................................... 40
Record Retention Requirements ............................................................................... 40
Types of Backups .................................................................................................... 41
Storage Management............................................................................................. 42
Minimal Backup Policy ........................................................................................... 42
Requirements .......................................................................................................... 42
Backup Retention .................................................................................................... 43
Documentation and Backup Media Labeling ............................................................... 43
Storage ................................................................................................................... 44
Responsibilities ........................................................................................................ 44
Testing and Training ................................................................................................ 44
System Specific Backup Policy ................................................................................ 45
Backup Retention .................................................................................................... 46
Documentation and Backup Media Labeling ............................................................... 46
Storage ................................................................................................................... 47
Responsibilities ........................................................................................................ 47
Testing and Training ................................................................................................ 47
3.04 Communication Strategy and Policy ...................................................................... 49
DRP / BCP Communication Policy .......................................................................... 49
3.05 ENTERPRISE Data Center Systems ............................................................................ 51
Backup Files ............................................................................................................ 51
Storage Rotation .................................................................................................... 51
ENTERPRISE Data Center ......................................................................................... 51
Off Site Storage ....................................................................................................... 51
3.06 Departmental File Servers ...................................................................................... 51
Backup Files ............................................................................................................ 52

Storage Rotation .................................................................................................... 52
Department ............................................................................................................. 52
ENTERPRISE Data Center ......................................................................................... 52
Off Site Storage ....................................................................................................... 52
3.07 Wireless Network File Servers................................................................................ 53
Backup Files ............................................................................................................ 53
Storage Rotation .................................................................................................... 53
Wireless Network File Server Area ............................................................................ 53
ENTERPRISE Data Center ......................................................................................... 53
Off Site Storage ....................................................................................................... 53
3.08 Data at Outsourced Sites (including ISP’s) ............................................................. 55
Backup Files ............................................................................................................ 55
Storage Rotation .................................................................................................... 55
Outsourced Sites ..................................................................................................... 55
ENTERPRISE Data Center ......................................................................................... 55
Off Site Storage ....................................................................................................... 55
3.09 Branch Offices (Remote Offices & Retail Locations) .............................................. 57
Backup Files ............................................................................................................ 57
Storage Rotation .................................................................................................... 57
Laptop location ........................................................................................................ 57
ENTERPRISE Data Center ......................................................................................... 58
Off Site Storage ....................................................................................................... 58
3.10 Desktop Workstations (In Office) ........................................................................... 59
Backup Files ............................................................................................................ 59
Storage Rotation .................................................................................................... 59
Desktop Workstation location ................................................................................... 59
ENTERPRISE Data Center ......................................................................................... 59
Off Site Storage ....................................................................................................... 60
3.11 Desktop Workstations (Off site including at home users) ..................................... 61
Backup Files ............................................................................................................ 61
Storage Rotation .................................................................................................... 61
Desktop Workstation location ................................................................................... 61
ENTERPRISE Data Center ......................................................................................... 61
Off Site Storage ....................................................................................................... 62
3.12 Laptops ................................................................................................................... 63
Backup Files ............................................................................................................ 63
Storage Rotation .................................................................................................... 63
Laptop location ........................................................................................................ 63
ENTERPRISE Data Center ......................................................................................... 63
Off Site Storage ....................................................................................................... 63
3.13 PDA’s and Smartphones ......................................................................................... 65
Backup Files ............................................................................................................ 65
Storage Rotation ..................................................................................................... 66
Laptop location ........................................................................................................ 66
ENTERPRISE Data Center ......................................................................................... 66
Off Site Storage ....................................................................................................... 66
4.0 Recovery Strategy ............................................................................................................. 67
4.1 Approach ................................................................................................................ 67

4.2 Escalation Plans ...................................................................................................... 68
4.3 Decision Points ....................................................................................................... 69
Plan 1 ..................................................................................................................... 69
Plan 2 ..................................................................................................................... 70
Plan 3 ..................................................................................................................... 71
5.0 Disaster Recovery Organization ........................................................................................ 72
5.1 Recovery Team Organization Chart........................................................................ 73
5.2 Disaster Recovery Team ......................................................................................... 75
5.3 Recovery Team Responsibilities ............................................................................. 76
5.3.1 Recovery Management ............................................................................... 76
Senior Recovery Manager Responsibilities ................................................................. 76
Pre-Disaster ............................................................................................................. 76
Post-Disaster ............................................................................................................ 76
Recovery Manager Responsibilities............................................................................ 77
Pre-Disaster ............................................................................................................. 77
Post-Disaster ............................................................................................................ 77
5.3.2 Damage Assessment and Salvage Team ...................................................... 78
Damage Assessment and Salvage Team Responsibilities ............................................ 78
Pre-Disaster ............................................................................................................. 78
Post-Disaster ............................................................................................................ 78
5.3.3 Physical Security .......................................................................................... 79
Pre-Disaster ............................................................................................................ 79
Post-Disaster ........................................................................................................... 79
5.3.4 Administration ............................................................................................. 80
Pre-Disaster ............................................................................................................ 80
Post-Disaster ........................................................................................................... 80
5.3.5 Hardware Installation .................................................................................. 81
Pre-Disaster ............................................................................................................ 81
Post-Disaster ........................................................................................................... 81
5.3.6 Systems, Applications and Network Software............................................. 82
Pre-Disaster ............................................................................................................ 82
Post-Disaster ........................................................................................................... 82
5.3.7 Communications .......................................................................................... 83
Pre-Disaster ............................................................................................................ 83
Post-Disaster ........................................................................................................... 83
5.3.8 Operations ................................................................................................... 84
Pre-Disaster ............................................................................................................ 84
Post-Disaster ........................................................................................................... 84
6.0 Disaster Recovery Emergency Procedures........................................................................ 85
6.1 General ................................................................................................................... 86
6.2 Recovery Management .......................................................................................... 87
6.3 Damage Assessment and Salvage .......................................................................... 89
6.4 Physical Security ..................................................................................................... 92
6.5 Administration ....................................................................................................... 94
6.6 Hardware Installation ............................................................................................. 95
6.7 Systems, Applications & Network Software ........................................................... 97
6.8 Communications .................................................................................................... 99

6.9 Operations............................................................................................................100
7.0 Plan Administration ........................................................................................................101
7.1 Disaster Recovery Manager .................................................................................101
7.2 Distribution of the Disaster Recovery Plan ..........................................................102
7.3 Maintenance of the Business Impact Analysis .....................................................103
7.4 Training of the Disaster Recovery Team ..............................................................103
7.5 Testing of the Disaster Recovery Plan ..................................................................104
7.6 Evaluation of the Disaster Recovery Plan Tests ...................................................106
7.7 Maintenance of the Disaster Recovery Plan ........................................................107
8.0 Appendix .........................................................................................................................109
8.01 Plan Distribution...................................................................................................110
8.02 ENTERPRISE Sales Offices .....................................................................................111
8.03 Disaster Recovery Team Call List ..........................................................................112
8.04 Vendor Phone/Address List ..................................................................................114
8.05 Off-Site Inventory .................................................................................................118
8.06 Personnel Location Form ........................................................................................119
8.07 Hardware/Software Inventory .............................................................................120
8.08 People Interviewed ..............................................................................................121
8.09 Preventative Measures ........................................................................................122
8.10 Sample Application Systems Impact Statement ..................................................123
8.11 JOB Descriptions...................................................................................................124
Disaster Recovery Manager .................................................................................124
Position Purpose .................................................................................................... 124
Problems and Challenges ....................................................................................... 124
Essential Position Functions .................................................................................... 124
Principal Accountabilities ...................................................................................... 124
Authority................................................................................................................ 125
Contacts ................................................................................................................. 125
Position Requirements .......................................................................................... 125
Manager Disaster Recovery and Business Continuity ..........................................126
Position Purpose .................................................................................................... 126
Problems and Challenges ....................................................................................... 126
Essential Position Functions .................................................................................... 126
Principal Accountabilities ...................................................................................... 126
Authority................................................................................................................ 127
Contacts ................................................................................................................. 127
Position Requirements .......................................................................................... 127
Pandemic Coordinator .........................................................................................128
Position Purpose .................................................................................................... 128
Problems and Challenges ....................................................................................... 128
Essential Position Functions .................................................................................... 128
Principal Accountabilities ...................................................................................... 128
Authority................................................................................................................ 129
Contacts ............................................................................................................... 129
Position Requirements ........................................................................................... 129
Career Ladder ....................................................................................................... 130
8.12 Application Inventory and Business Impact Analysis Questionnaire ...................131

8.13 Key Customer Notification List .............................................................................153
8.14 Resources Required for Business Continuity........................................................155
8.15 Critical Resources to Be Retrieved .......................................................................156
8.16 Business Continuity Off-Site Materials .................................................................158
Off Site Stored Materials ............................................................................................... 158
Recovery Box ................................................................................................................. 158
8.17 Work Plan .............................................................................................................160
Project Initiation .................................................................................................... 161
Project Scheduling ................................................................................................. 161
Business Impact Analysis ....................................................................................... 162
Backup and Recovery Strategy .............................................................................. 162
Initial Implementation ........................................................................................... 163
Post Implementation ............................................................................................. 163
8.18 Audit Disaster Recovery Plan Process ..................................................................164
Audit Program ......................................................................................................164
Audit Program Overview ....................................................................................... 164
Suggested interviewees for Audit .......................................................................... 165
Objective #1 - Backup Procedures ................................................................................. 165
Objective #2 - Off-site Storage Facility .......................................................................... 165
Objective #3 - Disaster Recovery Plan ........................................................................... 165
8.19 Vendor Disaster Recovery Planning Questionnaire .............................................166
Vendor / Partner Information ....................................................................................... 167
DRP and Business Continuity Strategy ........................................................................... 168
Crisis Communication .................................................................................................... 170
Backup Facilities ............................................................................................................ 171
Testing ........................................................................................................................... 173
Prior DRP and BCP Plan Activations ............................................................................... 174
DRP and BCP Support .................................................................................................... 175
8.20 Departmental DRP and BCP Activation Workbook ..............................................176
Quick Reference Guide .................................................................................................. 177
Team Alert List ............................................................................................................... 178
Team Responsibilities .................................................................................................... 180
Team Leader Responsibilities / Checklist....................................................................... 180
General .................................................................................................................. 180
Critical Functions ........................................................................................................... 180
Normal Business Hours Response ................................................................................. 181
After Normal Business Hours Response ........................................................................ 181
Primary Location............................................................................................................ 182
Alternate Location ......................................................................................................... 182
Team Recovery .............................................................................................................. 183
Business Resumption Plan Copies ......................................................................... 183
Cellular Phone (TBD) .............................................................................................. 183
Team Work Area .................................................................................................... 183
Notifications .......................................................................................................... 183
Team Recovery Steps............................................................................................. 183
The team leader responsibilities............................................................................ 183
Departmental Meeting .......................................................................................... 184

Version 5.5 © 2010 Copyright Janco Associates, Inc. - http://www.e-janco.com Page 7


Enterprise logo here Disaster Recovery Business Continuity

Personnel Location Form ....................................................................................... 184
Status Report ......................................................................................................... 184
Travel Arrangements ............................................................................................. 184
Notification .................................................................................................................... 185
Notification Checklist ............................................................................................. 185
Notification Procedure .................................................................................................. 186
Notification Call List ....................................................................................................... 187
Project Status Report..................................................................................................... 188
Planned Activities for the Period ....................................................................................188
Accomplished Planned Activities ....................................................................................188
Planned Activities Not Accomplished .............................................................................188
Activity .................................................................................................................188
Reason ..................................................................................................................188
Expected completion............................................................................................188
Unplanned Activities Performed or Identified ................................................................188
Activity .................................................................................................................188
Reason ..................................................................................................................188
Impact on project .................................................................................................188
Planned Activities for the Next Period...................................................................... 189
Cost Data To Date ................................................................................................. 189
Open Issues and Resolutions .................................................................................. 189
Comments ............................................................................................................ 190
8.21 Web Site Disaster Recovery Planning Form .........................................................191
Backup Site .................................................................................................................... 192
Backup Site (Secondary) ................................................................................................ 193
Software Required to Operate Web Site ....................................................................... 194
8.22 General Distribution Information ...........................................................................195
What to do after an Explosion - Terrorist Attack .................................................196
How to Clean Up After a Disaster.........................................................................197
8.23 Business Pandemic Planning Checklist ....................................................................199
Plan for the impact of a pandemic on your business ...........................................199
Plan for the impact of a pandemic on your employees and customers ..............200
Establish policies to be implemented during a pandemic ...................................201
Allocate resources to protect your employees and customers during a pandemic ...............201
Communicate to and educate your employees ...................................................202
Coordinate with external organizations and help your community: ...................202
8.24 Disaster Recovery Sample Contract ......................................................................................203
Overview .........................................................................................................................203
1.a General principles...........................................................................................203
1b. Definition of a disaster ...................................................................................204
1c. Period of service .............................................................................................204
Prerequisites ...................................................................................................................204
Alignment........................................................................................................................205
3a. Specify kind of system, for example: Broking system ....................................205

3b. Specific data and applications .......................................................................205


3c. Backup facilities ..............................................................................................206
Provisions ........................................................................................................................207
4a. Office space ....................................................................................................207
4a-a. Work space .................................................................................................. 207
4a-b. Meeting space .............................................................................................. 207
4a-c. Storage space ............................................................................................... 208
4a-d. Safe ............................................................................................................. 208
4b. Office equipment ...........................................................................................208
4b-a. Telephone .................................................................................................... 208
4b-b. Fax .............................................................................................................. 208
4b-c. E-mail........................................................................................................... 208
4b-d. Mail, courier, and messenger services ............................................................ 208
4b-e. Stationery, photocopying, and other facilities .................................................. 208
4c. Computer equipment .....................................................................................208
4c-a. PC ................................................................................................................ 209
4c-b. Printer .......................................................................................................... 209
4c-c. Backups (initial data load) .............................................................................. 209
4c-d. Backups (within service provision) .................................................................. 209
4c-e. Specify platform from which data should be backed up ................................... 210
4c-f. Periodic processing ........................................................................................ 210
4c-g. Broking system GUI applications .................................................................... 210
4d. Specialist requirements ..................................................................................210
4d-a. Non-standard items....................................................................................... 210
4d-b. Slips, cover notes, and other documents ........................................................ 210
4e. Restrictions...................................................................................................... 211
Termination Procedure ...................................................................................................211
5a. Termination of Service ...................................................................................211
5b. Termination of the agreement .......................................................................211
Responsibilities ...............................................................................................................211
Testing the Plan ..............................................................................................................212
9.0 Change History ........................................................................................................................213
Version 5.6 – Release date February 2010 .....................................................................213
Version 5.5 – Release date January 2010 .......................................................................213
Version 5.4 – Release date May 18, 2009 .......................................................................213
Version 5.3 – Release date January 2, 2009....................................................................213
Version 5.2 – Release date August 1, 2008 .....................................................................213
Version 5.1 – Release date July 1, 2008 ..........................................................................213
Version 5.0 – Release date February 21, 2008 ...............................................................214
Version 4.5 – Release date November 2, 2007 ...............................................................214
Version 4.4 – Release date September 1, 2007 ..............................................................214
Version 4.3 – Release date July 26, 2007 ........................................................................214
Version 4.2 – Release date February 1, 2007 .................................................................214
Version 4.1 – Release date August 28, 2006 ...................................................................214
Version 4.0 - Release date March 5, 2006 ......................................................................215
Version 3.1 - Release date January 2, 2006 ....................................................................215
License Conditions ..........................................................................................................216

1.0 Plan Introduction


ENTERPRISE, recognizing its operational dependency on computer systems, including the Local
Area Network (LAN), database servers, Internet, intranet and e-mail, and the potential loss of
revenue and operational control that may occur in the event of a disaster, authorized the
preparation, implementation and maintenance of a comprehensive disaster recovery plan.

The intent of a Disaster Recovery Plan is to provide a written and tested plan directing the
computer system recovery process in the event of an interruption in continuous service resulting
from an unplanned and unexpected disaster.

The Disaster Recovery Plan preparation process includes the following major steps:

Identify the systems and applications currently in use
Analyze the business impact of a computer outage and determine the critical recovery time frames
Determine the recovery strategy
Document the recovery team organization
Document the recovery team responsibilities
Develop and document emergency procedures
Document training and maintenance procedures

These steps were conducted and this document represents the completed effort in the
preparation of the ENTERPRISE Disaster Recovery Plan.


1.1 Mission and Objectives


The mission of the Disaster Recovery Plan is to establish defined responsibilities, actions, and
procedures to recover the ENTERPRISE computer, communication, and network
environment in the event of an unexpected and unscheduled interruption. The plan is
structured to attain the following objectives:

Recover the physical network within the Critical Time Frames [2] established and
accepted by the user community
Recover the applications within the Critical Time Frames established and
accepted by the user community
Minimize the impact on the business with respect to dollar losses and
operational interference

Compliance
Various compliance frameworks can be used to assess BCP measures (ISO, COBIT,
COSO, etc.), but the key aspects are similar:

COSO requires data center operation controls and transaction management
controls in order to ensure data integrity and availability.
ISO 17799 (now ISO 27002) has a section entitled Business Continuity Management that requires
testing, maintaining, and reassessing a business continuity plan.
ISACA's COBIT requires uninterruptible power supplies under its Manage
Facilities section.
NIST requires contingency and continuity plans and management.

As a general rule, in order to test BCP/DR compliance within an organization, a team of
qualified, knowledgeable internal auditors should be created, reporting to a different
member of the board than the one the BCP team reports to. This team of internal auditors
should test to ensure that the BCP plan and process meet the compliance requirements
discussed in the following sections.

Implication of Legislated and Industry Standards Requirements [3]

There are a number of legally mandated and standards mandated issues that
need to be covered in the Disaster Recovery / Business Continuity Planning
Process.

[2] Critical time frames include both the point in time that the recovery will be set to and the point in time that the recovery will be
completed and the enterprise can be back in operation.
[3] This section is for informational purposes and can be excluded from the plan.


Site Strategy / Recovery Time / Comments

Site Strategy: Commercial Hot Site
Recovery Time: 24 to 48 hours
Comments: Often the most cost effective strategy for data center recovery. This is a market
dominated by SunGard and IBM Global Services. Clear contract terms need to be defined which
meet the enterprise service objectives. Consideration should be made for disasters which impact
entire regions such as hurricanes and earthquakes.

Site Strategy: Mobile Data Center / Office Space
Recovery Time: 24 to 48 hours
Comments: Pre-configured mobile resources for data center or client workspace recovery. This
approach avoids employee travel issues but has limitations on equipment availability and
outbound bandwidth if very small aperture satellite terminal (VSAT) links must be used for
communications. Businesses also typically assume that they can be placed in the parking lot of
the affected site, so if the disaster profile includes events such as hurricanes, floods or toxic
spills, these solutions may not be appropriate.

Site Strategy: Internal Hot Site
Recovery Time: 1 to 12 hours
Comments: This is typically the most expensive option since there is an added cost for internal
provisioning of the necessary excess capacity. If costs can be shared among multiple facilities
within the enterprise, internal provisioning can be cost competitive with commercial
alternatives. In light of legislation such as Sarbanes-Oxley and the need for protection of
sensitive information, this is often the best solution. Organizations with strict data currency
needs and aggressive recovery-time objectives have found internal hot-site strategies to be the
only viable option. If no appropriate secondary space is available within existing property,
suppliers and "co-location" facilities providers offer managed raised-floor space at very
attractive rates as an alternative to building out secondary sites.

Site Strategy: Cold Site
Recovery Time: 72 plus hours
Comments: "Environmentally appropriate" space can be either provisioned internally or
contracted from a commercial facilities service provider. Cold-site strategies are usually based
on "quick-ship" delivery agreements to allow server, storage, and communications hardware and
network service providers to quickly build out the data center and/or client workspace
infrastructure. In the case of an extensive disaster such as a hurricane or earthquake this option
is less favorable.

Site Strategy: Reciprocal Site
Recovery Time: 12 to 48 hours
Comments: This is typically a formal agreement between two trusted, non-competing partners in
different industries in which each provides secure sites for the other. This option is the least
favorable and has the greatest risk associated with it.


Backup Strategy
Backups can be accomplished locally, centrally or both. There are
advantages and disadvantages to each. The table below lists some of the
advantages and disadvantages of each.

Disaster Recovery Backup Alternatives

Local Backup
Advantages:
• Backup quicker
• Minimal bandwidth usage
• Quicker restore in minor recovery situation
Disadvantages:
• More hardware required
• More staff required
• Security risks increased
• Riskier restore in a major recovery situation

Central Backup
Advantages:
• Hardware requirement less
• Less staff required
• Less training
• Quicker restore in a major recovery situation
• Security risks lower
Disadvantages:
• More bandwidth required
• Backup takes longer to complete
• Restore takes longer in minor recovery situation

Coordinated Local and Central Backup
Advantages:
• Recovery time eased
• Enterprise risks reduced
• Easier to coordinate DRP and Business Continuity Plans
Disadvantages:
• More hardware required
• More staff required
• More training required
• More bandwidth required


3.03 Backup and Backup Retention Policy

Policy
The purpose of this policy is to define the need for performing periodic computer system
backups to ensure that mission critical administrative applications, their data and archives, and
users' data and archives are adequately preserved and protected against data loss
and destruction. Each ENTERPRISE unit responsible for providing and operating a mission critical
application must document and perform a System Specific Data Backup or at least the Minimal Data
Backup on a periodic basis.

Computer systems that create or update mission critical ENTERPRISE data on a daily basis need
to be backed up on a daily basis to minimize the exposure to loss of mission critical data. The unit
responsible for providing and operating such systems must conduct a systematic and detailed
investigation of all the influencing factors leading to the compilation of a comprehensive System
Specific Data Backup Policy. System specific backup policies must at least fulfill the
requirements of the Minimal Data Backup Policy.
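The daily-backup requirement above, together with the recovery point defined under Critical Time Frames, can be checked mechanically rather than by inspection. The following Python script is an added example and is not part of this template or of Janco's material: the system inventory, the maximum backup age assigned to each system (24 hours for mission critical data updated daily), and the backup log lines are constructed sample data, and the host names are hypothetical. It reports every system whose most recent successful backup is older than its policy allows, and a system with no successful backup on record at all.

```python
"""Backup-currency check for a System Specific Data Backup Policy.

Added illustration (not the template's own code). Given an inventory of
systems with the backup interval the policy assigns to each, and a log of
backup job completions, report which systems are out of policy.
"""
from datetime import datetime, timedelta

# Constructed sample inventory (hypothetical host names). max_backup_age is
# the oldest a successful backup may be before the system is out of policy;
# it corresponds to the recovery point the Critical Time Frames allow.
INVENTORY = {
    "erp-db01": {"mission_critical": True, "max_backup_age": timedelta(hours=24)},
    "hr-files": {"mission_critical": True, "max_backup_age": timedelta(hours=24)},
    "legacy-app": {"mission_critical": True, "max_backup_age": timedelta(hours=24)},
    "wiki": {"mission_critical": False, "max_backup_age": timedelta(days=7)},
}

# Constructed sample backup log: "<ISO timestamp> <system> <status>" per line.
# Note that hr-files had a recent run, but it failed.
BACKUP_LOG = """\
2010-02-10T01:05:00 erp-db01 success
2010-02-11T01:07:00 erp-db01 success
2010-02-11T02:00:00 hr-files failed
2010-02-09T02:00:00 hr-files success
2010-02-05T03:00:00 wiki success
"""


def parse_backup_log(text):
    """Return {system: time of latest successful backup}.

    Failed runs are ignored: a failed backup does not advance the recovery
    point, so only successes count towards policy.
    """
    latest = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, system, status = line.split()
        if status != "success":
            continue
        when = datetime.fromisoformat(timestamp)
        if system not in latest or when > latest[system]:
            latest[system] = when
    return latest


def check_backup_policy(inventory, log_text, now):
    """Return a list of (system, reason) for every system that is out of policy."""
    latest = parse_backup_log(log_text)
    findings = []
    for system, spec in inventory.items():
        last = latest.get(system)
        if last is None:
            findings.append((system, "no successful backup on record"))
            continue
        age = now - last
        if age > spec["max_backup_age"]:
            findings.append(
                (system, f"last successful backup {age} ago exceeds "
                         f"{spec['max_backup_age']}")
            )
    return findings


def out_of_policy_systems(now):
    """Convenience wrapper over the constructed sample data."""
    return [system for system, _ in check_backup_policy(INVENTORY, BACKUP_LOG, now)]


if __name__ == "__main__":
    # Constructed "current time" for the sample run.
    now = datetime(2010, 2, 11, 12, 0, 0)
    for system, reason in check_backup_policy(INVENTORY, BACKUP_LOG, now):
        print(f"{system}: {reason}")
```

Run against the sample data at 2010-02-11 12:00, erp-db01 and wiki are within their allowed age, hr-files is reported because its last successful backup (not the failed one) is more than 24 hours old, and legacy-app is reported because it never appears in the log. In a real deployment the inventory would come from the Application Inventory forms in this plan and the log from the backup software's job history; the check itself does not change.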

Applicability
This policy applies to all operating units of ENTERPRISE. This backup policy is defined to protect
against the following situations:

Destruction of data media by force majeure, e.g. fire or water
Deliberate or accidental deletion of files, e.g. by computer viruses
Inadvertent deletion or overwriting of files
Technical failure of a storage device (head crash)
Faulty data media
Demagnetization of magnetic data media due to ageing or unsuitable
environmental conditions (temperature, air moisture)
Interference with magnetic data media by extraneous magnetic fields
Uncontrolled changes in stored data (loss of integrity)

Backup Versus Archive

A backup process takes periodic or real-time images of active data in order to provide a method of
recovering records that have been deleted or destroyed. Most backups are retained only for a few
days or weeks as later backup images supersede previous versions.

A backup is designed as a short-term insurance policy to facilitate disaster recovery, while an
archive is designed to provide ongoing access to decades of business information. Archived
(historical) records are placed outside the traditional backup cycle for a long period of time, while
backup operations protect active data that's changing on a frequent basis.

Archiving Implications Sarbanes-Oxley

A record is essentially any material that contains information about ENTERPRISE’s plans, results,
policies or performance. In other words, anything about ENTERPRISE that can be represented


5.0 Disaster Recovery Organization


The effectiveness and operability of the Disaster Recovery Plan is dependent on the knowledge
and expertise of the personnel who develop and execute the plan. It is essential to determine
which talents are required and to assign personnel who meet those requirements.

A recovery from a disaster is best conducted by teams of personnel that are formed to perform
specific functions (e.g., hardware acquisition, hardware installation, operations). The number
and types of teams are dictated by the size and type of computer processing capabilities and
facility the plan is being developed to recover.

The organization of the staff to recover the system is designed for the worst case situation. The
worst case, requiring a move to the alternative site, must be executed by a coordinated team to
minimize the operational impacts to end-users, senior management and ENTERPRISE as a whole.

The Disaster Recovery Team Organization, therefore, is set up to accomplish:

Expeditious and efficient recovery of computer processing;
Intermediate and minor impact/expenditure decisions within the Information
Technology personnel during the recovery process;
Major impact/expenditure decisions at the management level; and
Streamlined reporting of recovery progress from recovery teams upward to
senior management and end-users.


5.1 Recovery Team Organization Chart

Senior Recovery Manager
    Recovery Manager
        Damage Assessment & Security
        Physical Security
        Administration / Pandemic Coordinator
        Systems, Hardware Installation
        Application & Software
        Communications Network
        Operations


The purpose of this questionnaire is to determine the criticality of the applications used at ENTERPRISE. The information
provided will be used to develop an Application Inventory that can be used in the Disaster Recovery Plan that minimizes
the impact of the loss of this application in the event of a disaster. (PLEASE USE ADDITIONAL BLANK PAPER OR
ATTACHMENTS WHEREVER NECESSARY)

Facility / Business Function / Application

Name: _____________________________________________________________________________________

Provide a brief description/purpose – mission: ______________________________________________________

__________________________________________________________________________________________

__________________________________________________________________________________________

What are the main functions? ___________________________________________________________________

__________________________________________________________________________________________

__________________________________________________________________________________________

__________________________________________________________________________________________

__________________________________________________________________________________________

__________________________________________________________________________________________
Was this developed in-house or purchased from a vendor? If purchased from a vendor, do you hold the plans,
source code etc: _____________________________________________________________________________
__________________________________________________________________________________________

If the application is a purchased package, are there extensive modifications to this application (briefly describe
modifications): ______________________________________________________________________________

__________________________________________________________________________________________

__________________________________________________________________________________________

What programming language was used to create the application? ______________________________________

__________________________________________________________________________________________

How old is this application (maturity)? ____________________________________________________________

Who is the owner of this application (i.e. Joe Smith of Accounting)? ____________________________________

__________________________________________________________________________________________


Application / File Servers

Provide the following information for each application and file server:
• Host name
• IP address and mask for the server
• Administrative contact for the server and security contact (i.e. primary user or department head name and phone number)
• User types
• Operating system including version number
• Application software including version number
• Review status (Yes/No, date, reviewer)
• Connectivity (Internet, intranet, modem in, modem out, other)
• Physical location (address / phone number for contact)

Host Name: _________________________ Reviewer Name: _______________________________ Date: _________________

IP Address / Mask
___.___.___.___
___.___.___.___ (mask)

User Types
[ ] Public  [ ] Customers  [ ] Employees  [ ] Groups Employees  [ ] Specific Employees  [ ] _______________

Administrative Contact
Name: _______________________  Email: _______________________  Phone: ______________________

Connectivity
[ ] Internet  [ ] Intranet  [ ] Modem In Bound  [ ] Modem Out Bound  [ ] Other: ____________

Physical Location
Address: __________________  Contact: __________________  Phone: ___________________

IP Address Range / Operating System / OS Version / Reviewed / Application / App Version / Reviewed

IP Address Range: ___.___.___.___ to ___.___.___.___

[ ] Windows WS      Ver: ____________  Reviewed: [ ] Yes [ ] No    Application: _________________ Ver: _________  Reviewed: [ ] Yes [ ] No
[ ] Windows Server  Ver: ____________  Reviewed: [ ] Yes [ ] No    Application: _________________ Ver: _________  Reviewed: [ ] Yes [ ] No
[ ] Unix            Ver: ____________  Reviewed: [ ] Yes [ ] No    Application: _________________ Ver: _________  Reviewed: [ ] Yes [ ] No
[ ] Linux           Ver: ____________  Reviewed: [ ] Yes [ ] No    Application: _________________ Ver: _________  Reviewed: [ ] Yes [ ] No
[ ] Other ________  Ver: ____________  Reviewed: [ ] Yes [ ] No    Application: _________________ Ver: _________  Reviewed: [ ] Yes [ ] No
                                                                   Application: _________________ Ver: _________  Reviewed: [ ] Yes [ ] No

Comments: __________________________________________________________________________________________
____________________________________________________________________________________________________

____________________________________________________________________________________________________

____________________________________________________________________________________________________

____________________________________________________________________________________________________

____________________________________________________________________________________________________

____________________________________________________________________________________________________

____________________________________________________________________________________________________

____________________________________________________________________________________________________


ENTERPRISE
Vendor Disaster Recovery Planning Questionnaire

DRP and Business Continuity Strategy

1 In the event of a disaster or significant disruption, does your organization have
documented plans for business continuity and IT disaster recovery? (NOTICE: if
your firm has no plan in place and has no intention of implementing a plan, then your
firm should be aware that our vendor / partnership relationship is subject to
cancellation)
    Yes ________ or No ________

2 What type of failure scenarios or outages do you plan for?
    ______________________________________________________
    ______________________________________________________
    _____________________

3 What duration of time is assumed for each type of failure scenario or outage you plan for?
    ___________________________ (please specify # and hours, days, weeks, months, etc. for each type)

4 Does the plan establish critical business functions with recovery priorities?
    Yes ________ or No ________

5 If you answered “Yes” to Question (4), what is the expected recovery time for
your critical business functions?
    0 – 4 hours _____
    4 – 8 hours _____
    Within one day _____
    1 – 2 days _____
    More than 2 days _____
    Other (please specify) _____
    N/A _____

6 Does the plan account for interdependencies both internal and external to your organization?
    Yes ________ or No ________


Version History

9.0 Change History

Version 5.6 – Release date February 2010


Updated Business and IT Impact Questionnaire
Updated for COBIT compliance
Updated for PCI-DSS compliance
Updated for US state level compliance (New York, Massachusetts, and California)
Updated for ISO security requirements

Version 5.5 – Release date January 2010


Updated to comply with CobiT requirements
Sample Disaster Recovery Plan Service Agreement

Version 5.4 – Release date May 18, 2009


Added Pandemic Coordinator job description
Added Business Pandemic Planning Checklist
Updated organization chart to include Pandemic Coordinator
Corrected minor errata

Version 5.3 – Release date January 2, 2009


Updated backup and backup retention section
Updated style sheet to CSS style sheet format
Added Disaster Recovery Business Continuity General Distribution Information
What to do after an explosion / terrorist attack
How to clean up after a disaster

Version 5.2 – Release date August 1, 2008


Updated style sheet to WORD 2007 format
Updated forms and charts

Version 5.1 – Release date July 1, 2008


Added sample Backup and Backup Retention Policy
Minor formatting changes


Version 5.0 – Release date February 21, 2008


Updated Disaster Recovery / Business Continuity Plan Audit Program to be compliant with ISO 27000 Series (ISO 27001 and ISO 27002)
Added a section on Communication Strategy and Policy to be implemented when the Disaster Recovery / Business Continuity Plan is activated
Added a section on Disaster Recovery / Business Continuity and Security basics
Added Personnel Location Report
Added Project Status Report Form

Version 4.5 – Release date November 2, 2007


Added Disaster Recovery / Business Continuity Plan Audit Program
Updated Excel work plan to refer to sections versus pages

Version 4.4 – Release date September 1, 2007


Section added on implications of Sarbanes-Oxley, Treadway Commission, and PCI DSS requirements
Disaster Planning Branch Offices added
Backup strategy table added
Backup strategy for PDAs updated to reflect smartphones

Version 4.3 – Release date July 26, 2007


Defined generic metrics for DR/BC success
Business & IT Impact Analysis Questionnaire Updated
Updated references to DRP card
Updated formatting to meet WORD 2007 requirements

Version 4.2 – Release date February 1, 2007


Added Section defining the ISO 17799 compliance requirements
Reviewed and modified the entire DRP/BCP template to ensure compliance with ISO 17799
Business & IT Impact Questionnaire updated to meet ISO 17799 compliance requirements
Corrected errata
Added Best Data Retention and Destruction Practices Section

Version 4.1 – Release date August 28, 2006


Department DRP / BCP Activation Workbook Updated in the appendix
Corrected work plan formatting and numbering for project initiation
Web Site Disaster Recovery Planning Form added to the appendix


Version 4.0 - Release date March 5, 2006


Vendor Disaster Recovery Planning Questionnaire added to the appendix
Department Disaster Recovery Planning Workbook added to the appendix
Vendor Phone List form updated
Key Customer Notification List form added
Critical Resources to be Retrieved form added
Business Continuity Off-Site Materials form added

Version 3.1 - Release date January 2, 2006


Site Strategy section added (Section 3.1); all other section numbers in Chapter 3 were increased to adjust for this modification.
Audit Disaster Recovery Plan Process added (Section 8.13)
Manager Disaster Recovery and Business Continuity job description added
Entire template reviewed to validate compliance with Sarbanes-Oxley
